How to guarantee the confidentiality of your data in third-party SaaS applications?

Secure your data in SaaS with Client-Side Encryption

By Cosmian | October 29, 2024 | Security, Cloud

Through SaaS (Software as a Service), companies can access a wide range of IT services in the cloud on a pay-as-you-go basis. This comes, however, at the price of a total loss of control over the data stored within these services, which remain under the control of the service publisher or cloud operator.

However, there is a solution for regaining control over this data: Client-Side Encryption (CSE). With CSE, information is encrypted on the client side before being sent to the host’s servers, which do not have the necessary keys to decrypt it. So, your sensitive data remains safe.

Rapid deployment among hyperscalers

Client-Side Encryption has been around for a long time. Still, publishers have only recently taken up the subject, particularly the major cloud service providers such as Google and Microsoft. This interest has been driven by the demands of an ever-increasing number of companies concerned about protecting their strategic data, but also by texts such as the GDPR, which strictly regulates the protection of the personal data of these companies’ customers.

Whether at Google or Microsoft, the arrival of Client-Side Encryption is gradual but rapid, with solutions that are “seamless”, well integrated, easy to activate, and with little impact on users (thus reducing change management efforts to a minimum). Implementing Client-Side Encryption remains an economic challenge, however, as some SaaS service providers have built their model around the exploitation of their customers’ data. But it is also a technical challenge, particularly when it comes to managing identities and encryption keys.

How do I deploy Client Side Encryption?

Before activating CSE within SaaS services such as Microsoft 365 or Google Workspace, two solutions will need to be put in place:

  • An Identity Provider (IdP), responsible for authenticating users, must be deployed outside the control of the cloud operator on which you wish to activate CSE.

  • A Key Management System (KMS) manages encryption keys and must be under your exclusive control; otherwise, your entire security strategy will collapse.
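
A simplified model of how the two components fit together, as an added example that is not Cosmian's, Google's or Microsoft's code. DemoIdP, DemoKMS and the function names are hypothetical in-process stand-ins, and the per-document key wrapped by the KMS (envelope encryption) is an assumption of this sketch.

```javascript
// Added illustration: DemoIdP and DemoKMS are in-process stand-ins, not real products.
const crypto = require("node:crypto");

// AES-256-GCM helpers: seal() returns everything needed to decrypt except the key.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if ciphertext was tampered with
}

// Stand-in IdP, outside the SaaS operator's control: signs and verifies user tokens.
class DemoIdP {
  constructor() { this.secret = crypto.randomBytes(32); }
  mac(user) { return crypto.createHmac("sha256", this.secret).update(user).digest(); }
  issue(user) { return { user, sig: this.mac(user) }; }
  verify(token) {
    const want = this.mac(String(token.user));
    if (!Buffer.isBuffer(token.sig) || token.sig.length !== want.length ||
        !crypto.timingSafeEqual(token.sig, want)) throw new Error("IdP: invalid token");
    return token.user;
  }
}

// Stand-in KMS under the customer's exclusive control: the key-encryption key never leaves it.
class DemoKMS {
  constructor(idp, allowedUsers) {
    this.idp = idp; this.acl = new Set(allowedUsers); this.kek = crypto.randomBytes(32);
  }
  authorize(token) {
    const user = this.idp.verify(token);
    if (!this.acl.has(user)) throw new Error("KMS: user not authorized");
  }
  wrap(token, dek) { this.authorize(token); return seal(this.kek, dek); }
  unwrap(token, wrapped) { this.authorize(token); return unseal(this.kek, wrapped); }
}

// Client side: encrypt before upload; the SaaS stores only ciphertext and a wrapped key.
function encryptForUpload(kms, token, plaintext) {
  const dek = crypto.randomBytes(32); // fresh data-encryption key per document
  return { blob: seal(dek, Buffer.from(plaintext, "utf8")), wrappedDek: kms.wrap(token, dek) };
}
function decryptAfterDownload(kms, token, stored) {
  return unseal(kms.unwrap(token, stored.wrappedDek), stored.blob).toString("utf8");
}
```

The object returned by encryptForUpload is all the SaaS provider ever holds: without a valid IdP token accepted by the KMS, the wrapped key cannot be opened and the blob stays unreadable.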

Cosmian KMS is a tool you can deploy on local servers or in the cloud via a confidential virtual machine. It is available directly from the marketplaces of the major hyperscalers: AWS, Google Cloud and Microsoft Azure. Cosmian KMS is natively compatible with client-side encryption offered on Google Workspace and Microsoft 365. It can also manage the keys used to encrypt your storage units, e-mails, or any other applications. Cosmian KMS is open source, auditable, and verifiable.

Secure your data in SaaS today with Cosmian KMS. Deploy it now from your preferred cloud marketplace and ensure your sensitive information stays protected!

Direct access:  AWS, Google Cloud, and Microsoft Azure.
Contact us for more information.

 
